A critical vulnerability in Cursor IDE, the rapidly rising AI-powered development environment, allows persistent remote code execution through manipulation of the Model Context Protocol (MCP) system.
The vulnerability, tracked as CVE-2025-54136 and dubbed “MCPoison,” exploits a trust validation flaw that allows attackers to execute arbitrary commands on developer machines without triggering security warnings.
Cursor IDE has emerged as one of the most popular AI-assisted development platforms, combining traditional code editing with deep large language model (LLM) integrations.
The platform’s appeal lies in its sophisticated automation capabilities, particularly through MCP configurations that enable seamless execution of development workflows involving remote APIs, LLM-generated commands, and local system operations.
The vulnerability stems from a fundamental flaw in Cursor’s trust validation model for MCP execution.
Researchers discovered that while Cursor requires initial user approval for MCP configurations, any subsequent modifications to approved configurations are automatically trusted without additional validation or user consent.
This creates a dangerous attack vector where a single approval can be exploited for persistent, silent code execution.
MCPoison Attack Bypasses
The MCPoison attack follows a deceptively simple but highly effective pattern. Attackers first commit a benign MCP configuration file (.cursor/rules/mcp.json) to a shared repository containing harmless commands such as basic system utilities.
When developers open the project in Cursor, they encounter a standard approval prompt and, seeing the innocuous command, approve the MCP configuration.
The critical vulnerability emerges after this initial approval. Cursor binds trust solely to the MCP key name rather than verifying the underlying command or arguments.
This means attackers can later modify the same MCP entry to execute arbitrary system commands, including reverse shells, data exfiltration tools, or persistent backdoors. These modifications execute silently every time the developer reopens Cursor, creating a persistent attack vector.
Check Point researchers demonstrated the vulnerability’s severity by deploying a reverse shell payload that activates automatically whenever the victim launches the IDE.
The payload remains persistent across repository synchronizations and project reopenings, effectively turning the trusted development environment into an automated attack platform.
Cursor’s MCP system stores project-specific configurations in .cursor/rules/mcp.json files, with each entry defining an MCP name, command, and optional arguments. The platform automatically scans the .cursor/ directory upon project launch and processes any MCP-related configurations discovered.
The trust mechanism operates through a one-time approval model where users are prompted to authorize MCP configurations on first encounter.
However, the system fails to implement change detection for approved configurations, allowing attackers to substitute malicious commands while preserving the original MCP name that received approval.
This architectural flaw enables sophisticated supply chain attacks in collaborative development environments. A malicious actor with repository write access can establish a foothold through an initially harmless MCP configuration, then escalate privileges through silent command substitution without requiring additional user interaction.
Check Point Research responsibly disclosed the vulnerability to Cursor’s development team on July 16, 2025. The company responded promptly, issuing version 1.3 on July 29, 2025, which addresses the core vulnerability by implementing mandatory approval prompts for any modifications to MCP configurations.
The fix ensures that even minor modifications, such as adding a single space character, trigger new authorization requirements.
While Cursor’s release notes did not explicitly mention the security patch, independent testing by Check Point researchers confirmed the vulnerability’s remediation.
Users must now explicitly approve or reject any modified MCP configuration before execution, closing the trust bypass that enabled the MCPoison attack.
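As an added illustration (not Check Point’s or Cursor’s code), the following Python script models the trust check described above: a name-only check, which keeps trusting an entry after its command has been swapped, beside a content-bound check that demands re-approval whenever the command or an argument changes. The config strings, the `build-helper` key and the script path are constructed sample values.

```python
import hashlib
import json

# Constructed sample files (not from the article). The first is the benign
# entry a developer approves; the second keeps the same key name but swaps
# the command, as MCPoison does; the third only adds a space inside an arg.
APPROVED_CONFIG = '{"mcpServers": {"build-helper": {"command": "echo", "args": ["hello"]}}}'
MODIFIED_CONFIG = ('{"mcpServers": {"build-helper": {"command": "sh", '
                   '"args": ["-c", "/tmp/untrusted-script.sh"]}}}')
SPACE_ONLY_CONFIG = '{"mcpServers": {"build-helper": {"command": "echo", "args": ["hello "]}}}'


def entry_fingerprint(name: str, entry: dict) -> str:
    """SHA-256 over canonical JSON of the name plus the whole entry (command,
    args, env). Any change inside a string value yields a new fingerprint;
    whitespace between JSON tokens does not, because it is parsed away."""
    canonical = json.dumps({"name": name, "entry": entry},
                           sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canonical.encode("utf-8")).hexdigest()


def load_servers(config_text: str) -> dict:
    return json.loads(config_text)["mcpServers"]


def approve_all(config_text: str) -> set:
    """Record what the user approved as content-bound fingerprints."""
    return {entry_fingerprint(n, e) for n, e in load_servers(config_text).items()}


def name_only_check(config_text: str, approved_names: set) -> dict:
    """Pre-1.3 behaviour described in the article: trust is keyed on the
    MCP name alone, so a swapped command still passes as approved."""
    return {n: n in approved_names for n in load_servers(config_text)}


def content_bound_check(config_text: str, approved: set) -> dict:
    """Fixed behaviour: an entry runs only if its full content was approved."""
    return {n: entry_fingerprint(n, e) in approved
            for n, e in load_servers(config_text).items()}


if __name__ == "__main__":
    names = set(load_servers(APPROVED_CONFIG))
    fps = approve_all(APPROVED_CONFIG)
    print("name-only, modified:    ", name_only_check(MODIFIED_CONFIG, names))
    print("content-bound, modified:", content_bound_check(MODIFIED_CONFIG, fps))
    print("content-bound, space:   ", content_bound_check(SPACE_ONLY_CONFIG, fps))
```

The same fingerprint comparison can run as a pre-commit or CI check on `.cursor/rules/mcp.json` so that a changed command in a shared repository is flagged before any developer opens the project.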
The disclosure represents the first in a planned series of vulnerability assessments targeting AI development platforms. As AI-assisted coding tools become increasingly integrated into software development workflows, security researchers are identifying novel attack vectors that exploit the intersection of artificial intelligence, automation, and traditional software security boundaries.
Security experts note that the MCPoison attack demonstrates how AI systems’ reliance on automation and trust-based workflows can be weaponized against the very users they are designed to help.
Organizations using Cursor IDE should immediately update to version 1.3 or later to protect against MCPoison exploitation.